In response to a VMware user group security survey conducted earlier this year, VMware said it would consider certain initiatives aimed at increasing awareness of security updates to its customers and provide them with additional details by way of the company's VMware Security Advisories (VMSAs). Last week, the company made good on those promises.
VMware released a host of new security patches that address multiple security vulnerabilities impacting a range of the company's virtualization products, including vCenter Server, vCenter Server Appliance, vSphere Update Manager, ESX, and ESXi. Some of the identified flaws can be used to bypass security restrictions to elevate privileges, execute malicious code, or overwrite important files. Other vulnerabilities could lead to denial-of-service (DoS) on affected products.
[ Also on InfoWorld: Pivotal adds mobile platform development with Xtreme Labs acquisition | Cloud storage provider Nirvanix is closing its doors | Track the latest trends in virtualization in InfoWorld's Virtualization Report newsletter ]
One of those vulnerabilities is a bug in vCenter Server 5.0 and 5.1 that could enable an attacker to bypass the need for valid credentials under some circumstances. In order for the vulnerability to be exploited, the affected product must be deployed in an environment that uses Active Directory with anonymous LDAP binding enabled.
This type of setup doesn't properly handle log-in credentials. The VMware advisory warns, "In this environment, authenticating to vCenter Server with a valid user name and a blank password may be successful even if a non-blank password is required for the account."
The workaround is to discontinue the use of AD anonymous LDAP binding if it is enabled in your environment.
Organizations running version 5.1 of VMware's vCenter Server Appliance (vCSA) on Linux should be aware of two other sets of vulnerabilities. The first is a remote code execution flaw that enables an attacker with stolen credentials to run existing files as root. The second vulnerability is found within the Virtual Appliance Management Interface (VAMI), where an authenticated remote attacker is allowed to upload files to an arbitrary location thereby creating new files or overwriting existing files. According to the VMware advisory, replacing certain files could result in a denial-of-service condition.
Certain versions of VMware's ESX and ESXi hypervisors (4.0, 4.1 and 5.0) are also affected. According to VMware, there is a flaw in the hostd-vmdb that could allow an attacker to cause a denial-of-service condition. In order to exploit this vulnerability, an attacker would need to intercept and modify the management traffic.
The advisory also identified a session fixation vulnerability in the vSphere Web Client Server through which an attacker could gain elevated privileges within the environment. However, exploiting this flaw may not prove easy as it requires some knowledge of the target user's session. According to VMware, an attacker would have to know a valid session ID of an already authenticated user.
In either instance, VMware said users can reduce the likelihood of these vulnerabilities from causing a problem by running vSphere components in an isolated management network to ensure that traffic does not get intercepted.
Category: julio jones Scandal Michelle Rodriguez
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.